BELGIUM—Time to Comply with the Amended Telecom Act

The amendments to the Belgian Act on Electronic Communications (Telecom Act) entered into force on October 1, 2012. Amongst other things, the amended Telecom Act introduces a requirement for opt-in consent for cookies and a data breach notification obligation for telecommunications providers.

Opt-in Consent for Cookies

Many companies use cookies on their websites for a variety of purposes. Previously, placing cookies was allowed if the user was informed about the cookie prior to its installation and was granted the opportunity to object. Now, the Telecom Act requires companies to obtain the user’s opt-in consent, unless the cookie is strictly necessary to transmit a communication over an electronic communication network or to provide services explicitly requested by the user. Furthermore, users must always have the opportunity to withdraw their consent easily and free of charge.

In practice, this implies that companies using cookies will have to redesign their websites so that the user’s consent is obtained prior to installing any cookie that does not fall within one of the above-mentioned exemptions. This may be done, for example, by implementing a banner or pop-up message requiring users to tick a box to indicate their consent to the use of cookies. Furthermore, a practical procedure needs to be implemented for users who want to withdraw their consent.

Data Breach Notification Obligation for Telecom Providers

The amended Telecom Act introduces a data breach notification obligation for providers of public electronic communication services (i.e. services that mainly consist of transferring signals over an electronic communication network). This implies that these providers are now required to immediately report any kind of security breach affecting personal data to the Belgian Institute for Postal Services and Telecommunications (BIPT). Furthermore, if the data breach is likely to negatively affect personal data and the privacy of clients or other individuals, these individuals should also be informed without delay, unless the company can demonstrate to the BIPT that the affected personal data is protected by information security measures that render the data incomprehensible for unauthorized third parties (e.g. encryption techniques).

Data breach notices to individuals should contain information on the nature of the data breach, the persons or services that individuals can contact for more information, as well as the measures which individuals can take to mitigate the negative effects of the data breach. In addition, the data breach notification to the BIPT should contain a description of the consequences of the data breach and the actions which the company intends to take or has already taken to address the data breach.

In practice, companies subject to the data breach notification obligations should anticipate potential data breaches, for example by preparing operating procedures and notification templates which are ready to use, since the BIPT and the concerned individuals should be notified without delay. Furthermore, it is also required to keep a register of the data breaches that contains information on the facts of the data breach, the consequences and the measures taken to address the incident.

Written by Jan Dhont and David Dumont
